Tuesday, 25 August 2015

Understanding SPF Records (Part 2)

Overview

In part 1, we went through how to create a basic SPF record. In this part, we'll discuss the other options that are available when using SPF records.

A

The A method informs the recipient email server to check A records for your SMTP domain (contoso.com in these examples) or you can specify another domain to check for A records. For each option, you can specify whether you want to include all IPs in the subnet for each A record. Examples are below:Include all A records for your SMTP domain:v=spf1 a -allInclude all A records for your SMTP domain and also include all IPs in the /24 subnet for each IP that the A records reference:v=spf1 a/24 -allInclude all A records for your SMTP domain and A records for another domain:v=spf1 a a:sales.contoso.com -all

Include A records for your SMTP domain, A records for another domain and also include the IPs in the /24 subnet for each A record:v=spf1 a/24 a:sales.contoso.com/24 -all

Include

The include method informs the receiving email server that another SPF record should be checked. This is useful in larger organizations where different teams manage the public facing SMTP servers for different regions or datacenters and you want to allow these teams to manage their own permitted sending IPs.

To do this, you can use a 'top level SPF' record and include 'sub-SPF' records. All permitted senders in all sub-SPF records will be checked when evaluating whether the email is sent from a permitted sender.

For example, you have two datacenters and your sending domain is contoso.com:

Datacenter A:

Permitted senders: 195.168.1.0/28

Datacenter B:

Permitted senders: 105.168.1.0/28

Step 1: Create the top level SPF record

Your top level SPF record will be configured as a TXT record on contoso.com:

v=spf1 include:spf-a.contoso.com include:spf-b.contoso.com -all

Step 2: Create DNS zones

You then need to create two public DNS zones: spf-a.contoso.com and spf-b.contoso.com.

Step 3: Configure the additional SPF records

Datacenter A: Configure this SPF record as a TXT record on zone spf-a.contoso.com:

v=spf1 ip4:195.168.1.0/28 -all

Datacenter B: Configure this SPF record as a TXT record on zone spf-b.contoso.com:

v=spf1 ip4:105.168.1.0/28 -all

Step 4: Confirm SPF records exist

To confirm the SPF records, you can use nslookup, specify the lookup type to be TXT and then check the SPF records for three domains: contoso.com, spf-a.contoso.com and spf-b.contoso.com. See below:

MX

When specifying MX, the recipient checks the IPs of the MX records for your domain and if they match the IP of the sending SMTP server, the sender is verified and the email is allowed. To include just the MX records for your SMTP domain, use the below:

v=spf1 mx -all

You can also specify the MX records of a different SMTP domain. This is useful if you are using a domain only for sending email and don't have any MX records but you are sending email from IPs that are MX records for a different domain.

For example, if your sending email from SMTP domain sales.contoso.com using the same IPs as the MX records for contoso.com and not sending from any other IPs then you would use the below SPF record:

v=spf1 mx:contoso.com -all

You can also specify that you want to include all IPs in the /24 subnet of each MX record. In this case, you use an SPF record as below:

v=spf1 mx/24 -all

If you want to both specify that the entire subnet can send email, use MX records from different domains (contoso.com and litwareinc.com)and their associated /24 subnets while also using your own MX records and associated /24 subnets, you'd use the below SPF record:

v=spf1 mx:contoso.com/24 mx:litwareinc.com/24 mx/24 -all

Conclusion

In this part, we looked at the more advanced options we can configure in the SPF record. In the next part, we'll take a look at how to troubleshoot SPF records which is useful if your email is being marked as spam or you are marking other senders as spam when doing SPF checks. More information is here.